Informational RustSec Advisory Presentation #683

Closed
pinkforest opened this issue Sep 17, 2022 · 3 comments

Comments

@pinkforest

pinkforest commented Sep 17, 2022

e.g. for ansi_term we provided an informational advisory: https://rustsec.org/advisories/RUSTSEC-2021-0139.html
But GHSA has a different interpretation / representation: GHSA-74w3-p89x-ffgh

It's an advisory as others but it should be represented in canonical way as RustSec database implicitly intended.

Informational advisories do have security related concerns but these are nonetheless different to regular advisories -

It is a database-specific OSV attribute:

    "affected": [
      {
        "database_specific": {
          "informational": "unmaintained"
        }
      }
    ],

Problem is GHSA / Dependabot as of now does not take into account the different advisory types as a canonical representation.

GHSA / Dependabot also assumes "Critical" severity which is incorrect when we don't even flag CVSS for these -

We had a discussion about it here:
https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/topic/github.20advisory.20flags.20as.20critical/near/299276275

Also I see that GHSA / Dependabot omits the provided actionable advice that is helpful to anyone interpreting these advisories. Nonetheless it does link to the original RUSTSEC advisory, but I think Dependabot should include this actionable "fix" (if any), given people might be just fine using unmaintained code for any given time, based on whatever individual / project opinion they hold as to whether to migrate or not.

I've raised another issue about the omitting actionable advice: #684
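The distinction the issue draws (an informational advisory carries `affected[].database_specific.informational` and no CVSS, so a consumer should not treat it as a "Critical" vulnerability) can be checked mechanically when ingesting OSV records. The following is an added example written for this thread, not RustSec or GitHub tooling; the two advisory records are constructed with placeholder ids, and the OSV `severity` array with `type: CVSS_V3` is the standard OSV field, while the `database_specific.informational` key is the one shown in the issue.

```python
import json
from typing import Optional

# Constructed sample OSV records (placeholder ids, not real advisories) showing
# the two shapes discussed in the issue: an informational RustSec advisory that
# carries affected[].database_specific.informational and assigns no CVSS, and a
# regular advisory with an OSV severity entry.
INFORMATIONAL_ADVISORY = json.dumps({
    "id": "RUSTSEC-0000-0000",  # placeholder, not a real advisory id
    "summary": "crate is unmaintained",
    "affected": [
        {
            "package": {"ecosystem": "crates.io", "name": "example-crate"},
            "database_specific": {"informational": "unmaintained"},
        }
    ],
})

REGULAR_ADVISORY = json.dumps({
    "id": "RUSTSEC-0000-0001",  # placeholder, not a real advisory id
    "summary": "out-of-bounds read",
    "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}
    ],
    "affected": [
        {"package": {"ecosystem": "crates.io", "name": "other-crate"}}
    ],
})


def informational_kind(advisory: dict) -> Optional[str]:
    """Return the RustSec informational kind (e.g. 'unmaintained') if any
    affected entry carries database_specific.informational, else None."""
    for entry in advisory.get("affected", []):
        kind = entry.get("database_specific", {}).get("informational")
        if kind:
            return kind
    return None


def classify(advisory_json: str) -> dict:
    """Classify an OSV record for downstream alerting.

    Informational advisories are reported as their own category with no
    severity, instead of being defaulted to a critical vulnerability. Regular
    advisories carry whatever CVSS vectors the record actually provides, or
    'unscored' when it provides none.
    """
    adv = json.loads(advisory_json)
    kind = informational_kind(adv)
    cvss = [
        s["score"] for s in adv.get("severity", [])
        if s.get("type", "").startswith("CVSS")
    ]
    if kind:
        category = "informational:" + kind
        severity = "none"  # no CVSS assigned; do not assume critical
    else:
        category = "vulnerability"
        severity = cvss[0] if cvss else "unscored"
    return {"id": adv["id"], "category": category, "severity": severity, "cvss": cvss}


if __name__ == "__main__":
    for record in (INFORMATIONAL_ADVISORY, REGULAR_ADVISORY):
        print(classify(record))
```

A consumer that applies this split can surface an unmaintained notice as a separate, lower-urgency signal while still linking to the original advisory text.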

@darakian
Contributor

Hey @pinkforest 👋

Sorry for the delayed reply. Are you referring to the Possible Alternative(s) section of the rustsec advisory?

@pinkforest
Author

pinkforest commented Oct 17, 2022

Yes correct -

We've been thinking of standardising it and making it more machine readable and something that we can dynamically update outside advisory w/ alternatives = ["dynamic-list1", ".."]

rustsec/rustsec#658

There is also sometimes context relevant / specific information around the major dependencies / transient dependencies who would need to bump up in between.

Also something we've thought e.g. fix-paths = { "bar" = [ "semVers" ] }

rustsec/rustsec#695

@darakian
Contributor

Gotcha. The machine-readable alternatives idea is an interesting one. At the moment we avoid suggesting alternatives to avoid the quagmire of edge cases that follow. In this case we really shouldn't have broadcast the ansi_term advisory either. That said, maybe this is something we discuss going forward.

pinkforest closed this as not planned on Oct 18, 2022